Twitter two-factor authentication is now possible without linking a phone number. The social media company announced today that users can enable two-factor authentication on their account without linking any phone number at all.
SMS-based Twitter two-factor authentication can be a serious problem for people who lose access to code-generating devices or don’t have security keys, and it is also very vulnerable to SIM-swapping attacks. Twitter added code-generator support a while ago, but still required users to add a phone number to use the extra verification, and they could not remove that fallback.
That alone is a big setback for anyone who cares about their privacy on social media: they may not want to link a phone number to their account at all, and Twitter has already conceded that it used phone numbers to target ads even for users who declined that.
Hackers used SIM-swapping to send tweets from Twitter CEO Jack Dorsey’s account earlier this year, and while the exploit didn’t use two-factor codes, it revealed how vulnerable the SMS-based system can be.
If you already have a phone number linked in your profile, then you can go ahead and remove it now. However, a security engineer noted that you can’t remove the number and rely simply on a security key for access since that’s only supported on the website.
Another 🔑 update today: you can now use Two Factor Authentication without linking a phone number. If you already have your phone number linked along with App-based 2FA, you can unlink your 📞 it in the “Account” section of your settings while still keeping 2FA on. https://t.co/t63iRz2lIy
— Kayvon Beykpour (@kayvz) November 21, 2019